New 192.168.x.x subnet option for MH firewalls

[drepouille]

Other than the Lexmark printers in the FHCs requiring a static IP address, I just realized another reason why FHC computers need to be in the 10.x.x.x group. The new Windows 7 product keys are validated by a server in that group, so recently reimaged FHC computers cannot activate Windows outside of that group.

[russellhltn]

I'm not sure how well the 192.168.x.x is going to be able to talk to the 10.x.x.x group even if they know the IP address. So a computer in 192.168.x.x might not be able to print to something in the 10.x.x.x.

[Mikerowaved]

The firewall upgrade is performed by the Technology Manager (TM) tool. Initially only the Global Service Center can upgrade existing Meetinghouse Firewalls, but later Facilities Managers (FMs) and Stake Technology Specialists (STSs) will be granted permissions in the TM Tool to perform the upgrade.

Thanks for the info. When this is ready, will it be available using TM's "FIREWALL UPDATE" tab? I've seen that tab for a long time but thus far have only received a red "System Error" popup when I click on it.

[Biggles]

We don't yet have the date of when FMs/STSs will be able to perform the upgrade. It will likely be within a few weeks, but we want to get more communication out first about the new MH firewall configuration.

russellhltn: The "Facilities Zone" is for MH network devices. Family History will define the type of meetinghouse FH centers to place in the Special Purpose Zone.

And will Family History have the courtesy to inform us STSs of what is expected, in a timely manner? Or will this be revealed by other sources?

[CleggGP]

Answers to posts above:
Russellhltn: Data communication between zones is not permitted, so printing between zones will not happen.
Mikerowaved: When the "Upgrade Firewall Configuration" option is available to FMs/STSs, it will be available in the Tools tab (the tab to the right of the firewall "Usage Statistics" tab).
Biggles: Information will be posted on the forums (and other channels) when information is received about the type of meetinghouse Family History center that will exist in a Special Purpose Zone.

[Biggles]

Many thanks for the quick response to our queries!

[harddrive]

This has been a great thread to follow and I'm glad that I finally got an email in my inbox letting me know that it was here.

As I read this, this is bring up a lot of questions for me and what is the best way to move forward. I like the idea of more IP address for the users because there are buildings that we have maxed out the number of IP addresses on them.

The idea of separating the users from the family history center is another good idea, but I can see a potential huge problem for my buildings. Here are the issues that I see. When a network is installed, all network drops are brought back to central location. Then you put the connection into a switch and then to the port on the router. Unless the switch can create a VLAN on it, we will need to get another switch to separate the family history center from the rest of the network.

2 of my buildings do not have FHC, so this change will not affect me. Then in one of my buildings, I have the FM offices and the question is where would they connect? Would they connect on Port 3 or would they be on port 1 or 2?

Then my other three buildings have official FHC. Two buildings may work fine, because I believe that the FHC have their own switch, but I would have to check before I made any changes. The last building, which is my stake center, is the one that could be a huge question on what to do.

Currently all network drops, including the FHC drops are in the FHC and I have two switches, an 8 port and a 16 port and they are pretty much full. I then put the router in another area of the building so that I can use the wireless portion of it.

So looking at this, this will require us to look at how the FHC's are wired into the buildings, and basically requiring them to have a separate network. For those of us who have already retrofit our buildings, then we need to look at how to make the changes necessary to do this. This may require us to purchase new switches.

This to me will take a lot of planning on my part before I will be totally comfortable making the changes.

Hopefully, I will continue to get emails on this thread and other threads, because this is a big change and I need to plan for the changes. I am subscribed to the forums, but I do NOT get emails on a regular bases. I have mentioned this before and it seems like there is nothing that can be done. I will get a few of these replies, but after a couple of days they stop.

Thanks for listening
Terry

[aebrown]

Russellhltn: Data communication between zones is not permitted, so printing between zones will not happen.

And that means that wireless in FHCs that are within meetinghouses will be very problematic with this new config. Wireless will have to be on the 192.168.x.x subnet, since it services the whole building. But the FHC will be on the new FHC-specific 10.x.x.x zone, including specifically the printer. That means that no devices within the FHC that connect wirelessly can print.

[aebrown]

Then in one of my buildings, I have the FM offices and the question is where would they connect? Would they connect on Port 3 or would they be on port 1 or 2?

I believe CleggGP answered this. In this post, he described the "Facilities Zone (with 13 static addresses for heating/cooling, sprinkler, alarm systems, etc. in the 10.x.x.x space)."

And then in this post, he followed up to say: 'The "Facilities Zone" is for MH network devices.'

That makes it pretty clear that the Facilities Zone on Port 3 is only for those special facilities devices. So the FM offices would be connecting on the regular 192.168.x.x subnet, probably just using DHCP unless they might have a printer or other device that needs a static IP. That subnet is on ports 0 and 1 (2 is reserved for a FHC or some other special-purpose 10.x.x.x subnet).

[russellhltn]

And that means that wireless in FHCs that are within meetinghouses will be very problematic with this new config. Wireless will have to be on the 192.168.x.x subnet, since it services the whole building. But the FHC will be on the new FHC-specific 10.x.x.x zone, including specifically the printer. That means that no devices within the FHC that connect wirelessly can print.

I'm lucky. My FHC is it's own building and has it's own feed from the firewall. But I'm sure most FHCs would be hard to isolate from the rest of the building. FHC computers/printers will have to be on the FHC segment. I'm hoping that it will be OK to include some public on the FHC segment.

But I do have a question - if some WAPs are on the public segment and some are on the FHC one, would that cause problems as members move from one area of the building to another during the block meetings?